Data is the most valuable economic asset for modern companies and their greatest resource for growth and change. Consequently, safeguarding such data and adhering to the laws and standards of the nations where business operations are conducted is essential. Notably, several national authorities prohibit the storage of confidential personal or corporate information on servers beyond their legal and regulatory jurisdiction, including:
- European Union (EU) – General Data Protection Regulation (GDPR)
- Canada – Canadian Consumer Privacy Protection Act (CCPPA)
- Australia – Privacy Act and Australian Privacy Principles (APP)
- China – Personal Information Protection Law (PIPL)
- Russia – Federal Law on Personal Data
- India – Personal Data Protection Bill
This is the challenge of data sovereignty.
The continued rise and prevalence of artificial intelligence (AI) adds somewhat to this challenge. AI is perhaps the world’s biggest consumer of data outside of search engines and intelligence agencies. And unlike search engines, AI will be deployed inside a business and consume data previously considered off-limits to such technologies. Generative AI (GenAI) consumes data indiscriminately, and that data is often stored and processed at the AI companies’ discretion, not their users’. AI services implemented by many business applications will need to limit the use of this data outside the data sovereignty boundaries as required by the specific country’s regulations.
AI’s exponential and ongoing growth collides with established and emerging privacy and data sovereignty regulations globally, such as GDPR and CCPPA. Businesses must adhere to these policies and balance them with the ongoing business priority to compete using the latest data technologies available. Few businesses (if any) that want to make the most of available tools would voluntarily keep their data in a single regulatory domain. In reality, most multinational businesses have data residency strategies to store and use data in multiple countries and regions to serve customers and employees better. However, physically locating information in different regions and locations means it might become subject to other data protection laws.
Fortunately, competitive and regulatory balance is achievable for organisations with the right blend of mindset, policy, and tools. Here are five things you must consider to protect data sovereignty as your organisation integrates AI:
Education and Understanding
Ensure data sovereignty issues are front and centre throughout the company and understood and prioritised by everyone. Everyone who creates systems that use or modify data must understand the fundamentals of data sovereignty, which means understanding the business risk of not following policy. It should be an absolute priority to educate employees about data sovereignty and why it matters.
Know Your Data
Data grows as businesses expand, and as it grows, it fragments and ends up in silos. According to Salesforce, the average enterprise now has 1,061 different applications, although only one-third of them are connected. Salesforce also found that it typically takes 35 applications to support a single customer interaction.
You must know your data. Once employees understand the importance of data sovereignty, the organisation can create and maintain an inventory of the company’s data. In addition to knowing what is in the data, organisations must know the vendors that act on their data.
Internal Communication
It’s essential to be fluent in regional data residency laws and make every effort to comply. The company’s governance team must understand what is in the data, its structure, and which vendors the company uses to process it. To protect the company from data sovereignty challenges, you must have systems to manage anonymisation and pseudonymisation when partnering with other companies that process data.
Close Collaboration with Vendors
Enforce vendor compliance. The governance team must work with external vendors to ensure they have specific provisions that comply and align with the company’s policies. As data sovereignty regulations expand, vendors must deliver the data services in compliance with the regulatory frameworks of the regions where the business operates.
Data Unification and AI
To ensure data sovereignty compliance, you must have clean, connected, trusted data. Today’s tools and modern technologies leverage AI/ML capabilities to speed up and enhance data unification to ensure your data is internally consistent. Data unification tools can work more expansively and faster than a manual process.
Today’s modern master data management (MDM) tools also leverage AI to detect data leakage – when data leaves or is at risk of leaving the borders that policy restricts it to. Modern MDM can also trace the entire lineage of data: the sources the data came from, who contributed changes to it (a particular system or user), who consumed it, and when these actions were taken. That is the level of visibility we provide. Provenance is an essential capability for managing data products. AI-powered MDM tools can use pattern recognition to spot when a business is leaking personally identifiable information (PII) or other information that needs to be kept within borders.
Healthcare Data
Healthcare systems, such as the NHS, naturally face some of the most restrictive privacy and sovereignty policies, given the nature of the data they work with. Many of today’s healthcare management systems show that it is possible to have flexible and robust data management systems that remain compliant if the systems are designed with data management policies from the outset.
For example, in a healthcare system, each customer (patient) can get a client ID kept locally; any system that needs to attach data to a patient uses only that ID. When data is processed, for billing or analytics or other reasons, the PII stays put; only the necessary information is transmitted.
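The pattern described above, sketched as an added example (not code from this article or from any product it mentions): PII lives only in a local registry keyed by a random client ID, and outbound records are reduced to a per-purpose allow-list, with a final check that no registered PII value slipped into a permitted field. The field names, purposes and sample patient are constructed for illustration.

```python
import secrets

# Fields each downstream purpose may receive (constructed policy for this example).
ALLOWED_FIELDS = {
    "billing": {"client_id", "procedure_code", "amount_gbp", "description"},
    "analytics": {"client_id", "procedure_code", "age_band"},
}

class LocalPatientRegistry:
    """Holds PII inside the region; other systems only ever see client_id."""

    def __init__(self):
        self._pii = {}  # client_id -> PII dict, never leaves this store

    def register(self, name, nhs_number, address):
        client_id = "c_" + secrets.token_hex(8)  # random, not derived from PII
        self._pii[client_id] = {"name": name, "nhs_number": nhs_number,
                                "address": address}
        return client_id

    def pii_values(self, client_id):
        # Unknown client_id raises KeyError, so the caller fails closed.
        return [v.lower() for v in self._pii[client_id].values()]

def build_outbound(registry, record, purpose):
    """Return the minimal record for `purpose`, or raise if PII would leak."""
    allowed = ALLOWED_FIELDS[purpose]  # unknown purpose -> KeyError (fail closed)
    out = {k: v for k, v in record.items() if k in allowed}
    if "client_id" not in out:
        raise ValueError("record is not keyed by client_id")
    # Defence in depth: a permitted field must not carry a PII value in its text.
    for key, value in out.items():
        text = str(value).lower()
        if any(pii in text for pii in registry.pii_values(out["client_id"])):
            raise ValueError(f"PII found in outbound field {key!r}")
    return out

if __name__ == "__main__":
    reg = LocalPatientRegistry()
    cid = reg.register("Jane Example", "000 000 0000", "1 Example Street, Leeds")
    visit = {"client_id": cid, "name": "Jane Example", "procedure_code": "X12",
             "amount_gbp": 120.0, "age_band": "40-49",
             "description": "Outpatient consultation"}
    print(build_outbound(reg, visit, "billing"))    # name is dropped
    print(build_outbound(reg, visit, "analytics"))  # no amount or description
```
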
Prioritise Speed, Agility and Geography
With the right tools and technology partner, a company does not have to slow down to ensure compliance with its own or governmental policies. Instead, the correct tools, approach, and mindset let companies act quickly and seamlessly on emerging issues, such as flagging pop-up data programmes that are against policy before they become entrenched – and while the team is still active on the project and can modify it for compliance.
Data sovereignty regulations vary by country, and they can be incredibly detailed and complex, spanning data privacy, data localisation, data residency, and more. Working with a partner that can manage data in compliance with local privacy regulations around the globe, from Asia-Pacific to North America to Europe, is essential for every global organisation today.
Manish is the CEO, Founder and Chairman of Reltio, the first cloud-native, software-as-a-service (SaaS) data platform. An entrepreneur with a vision of the big-picture ways data can drive business and industry transformations, Manish founded Reltio in 2011 to help organisations accelerate the value of their data and deliver on business outcomes. Since its inception, Manish has led Reltio’s evolution from the concept stage to a high-growth company valued at $1.7 billion with more than $100 million in annual revenue (ARR). Reltio unifies multi-source, complex data into a single source of trusted information for enterprise customers in more than 140 countries globally.
During his career, Manish has architected some of the largest and most widely used data management solutions used by most Fortune 500 companies today. Manish previously led product strategy and management for the Master Data Management (MDM) platform at Informatica and Siperian. Manish holds a bachelor’s degree in mechanical engineering from Andhra University College of Engineering.